With Null Credentials
nmap
nmap --script=smb-enum* -p 139,445 DC01.heist.offsec
PORT STATE SERVICE
139/tcp open netbios-ssn
|_smb-enum-services: ERROR: Script execution failed (use -d to debug)
445/tcp open microsoft-ds
|_smb-enum-services: ERROR: Script execution failed (use -d to debug)
netexec
Enumerate host
netexec smb DC01.heist.offsec
SMB 192.168.247.165 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:heist.offsec) (signing:True) (SMBv1:False)
No anonymous access, but the banner gives more specific info on the OS version. Added to Findings.
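For recording banner lines like the one above as structured findings, here is a small added example (not part of the original notes and not netexec's own code) that parses netexec's SMB banner format with a regex and flags the two posture items the banner exposes: whether signing is required and whether SMBv1 is still on. The first sample line mirrors the one captured above; the second host is constructed to show what a weaker banner looks like.

```python
import re
from dataclasses import dataclass

# Constructed sample of netexec smb banner output. Line 1 is the DC01 banner from
# these notes; line 2 is a made-up host with signing off and SMBv1 enabled.
SAMPLE_OUTPUT = """\
SMB 192.168.247.165 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:heist.offsec) (signing:True) (SMBv1:False)
SMB 10.0.0.23 445 FS01 [*] Windows 6.1 Build 7601 x64 (name:FS01) (domain:heist.offsec) (signing:False) (SMBv1:True)
"""

# Field layout as netexec prints it: protocol, ip, port, hostname, [*], OS string,
# then the (name:) (domain:) (signing:) (SMBv1:) tuples.
BANNER_RE = re.compile(
    r"^SMB\s+(?P<ip>\S+)\s+(?P<port>\d+)\s+(?P<host>\S+)\s+\[\*\]\s+"
    r"(?P<os>.+?)\s+\(name:(?P<name>[^)]*)\)\s+\(domain:(?P<domain>[^)]*)\)\s+"
    r"\(signing:(?P<signing>True|False)\)\s+\(SMBv1:(?P<smbv1>True|False)\)\s*$"
)


@dataclass
class SmbFinding:
    ip: str
    host: str
    os: str
    domain: str
    signing_required: bool
    smbv1_enabled: bool

    def issues(self) -> list[str]:
        """Posture problems visible from the banner alone."""
        out = []
        if not self.signing_required:
            out.append("SMB signing not required (relay risk)")
        if self.smbv1_enabled:
            out.append("SMBv1 enabled (legacy protocol)")
        return out


def parse_banners(text: str) -> list[SmbFinding]:
    """Turn raw netexec smb output into one SmbFinding per banner line."""
    findings = []
    for line in text.splitlines():
        m = BANNER_RE.match(line.strip())
        if not m:
            continue  # skip [+]/[-] auth lines and anything that is not a banner
        findings.append(SmbFinding(
            ip=m["ip"], host=m["host"], os=m["os"], domain=m["domain"],
            signing_required=(m["signing"] == "True"),
            smbv1_enabled=(m["smbv1"] == "True"),
        ))
    return findings


if __name__ == "__main__":
    for f in parse_banners(SAMPLE_OUTPUT):
        print(f.host, f.os, f.issues() or "no banner-level issues")
```

Feed it the saved output of a netexec sweep and the result is an inventory of which hosts still accept unsigned SMB or SMBv1, which is the list a defender wants for hardening and the same list that explains why a banner with signing:True is worth noting in Findings.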
enum4linux-ng
enum4linux-ng -A $IP
...
[!] Aborting remainder of tests since sessions failed, rerun with valid credentials
Continue: 8080 HTTP(S)
With enox:california
netexec
Enumerate host
netexec smb DC01.heist.offsec
SMB 192.168.109.165 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:heist.offsec) (signing:True) (SMBv1:False)
SMB 192.168.109.165 445 DC01 [+] heist.offsec\enox:california
This confirms our credentials are valid. Can we list shares?
smbclient -U enox --password 'california' -L '\\192.168.159.165'
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
SYSVOL Disk Logon server share
SYSVOL seems like it could be promising. I'll download it for offline searching:
smbclient -U enox --password 'california' '\\192.168.159.165\SYSVOL' -c "prompt OFF; recurse ON;mget *"
tree .
.
├── DfsrPrivate
├── Policies
│   ├── {31B2F340-016D-11D2-945F-00C04FB984F9}
│   │   ├── GPT.INI
│   │   ├── MACHINE
│   │   │   ├── Microsoft
│   │   │   │   └── Windows NT
│   │   │   │       └── SecEdit
│   │   │   │           └── GptTmpl.inf
│   │   │   └── Registry.pol
│   │   └── USER
│   └── {6AC1786C-016F-11D2-945F-00C04fB984F9}
│       ├── GPT.INI
│       ├── MACHINE
│       │   └── Microsoft
│       │       └── Windows NT
│       │           └── SecEdit
│       │               └── GptTmpl.inf
│       └── USER
└── scripts
The GptTmpl.inf files are interesting and reveal some information about the domain's group policies, including password policy, but none of it directly contributes to us gaining more privileged access.
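To show what "reveals the password policy" means concretely, here is an added example (not from the original notes, and not code from any tool mentioned) that loads a GptTmpl.inf the way it is stored on disk, UTF-16LE with a BOM, reads the [System Access] section with configparser, and audits it against a simple baseline. The sample file is constructed; its values are the documented defaults of a stock Default Domain Policy (7-character minimum, complexity on, no lockout threshold), and the 14-character length baseline is an assumption of this example, not something the notes state.

```python
import codecs
import configparser

# Constructed GptTmpl.inf using the stock Default Domain Policy values.
SAMPLE_GPTTMPL = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 42
MinimumPasswordLength = 7
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 0
RequireLogonToChangePassword = 0
ClearTextPassword = 0
LSAAnonymousNameLookup = 0
[Kerberos Policy]
MaxTicketAge = 10
MaxRenewAge = 7
MaxServiceAge = 600
MaxClockSkew = 5
TicketValidateClient = 1
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Real files in SYSVOL are UTF-16LE with a BOM; encode the sample the same way.
SAMPLE_BYTES = codecs.BOM_UTF16_LE + SAMPLE_GPTTMPL.encode("utf-16-le")


def load_gpttmpl(data: bytes) -> configparser.ConfigParser:
    """Decode a GptTmpl.inf (UTF-16 with BOM, or UTF-8 fallback) into a ConfigParser."""
    if data.startswith(codecs.BOM_UTF16_LE) or data.startswith(codecs.BOM_UTF16_BE):
        text = data.decode("utf-16")  # honours and strips the BOM
    else:
        text = data.decode("utf-8-sig")
    # interpolation=None: values like "$CHICAGO$" must be taken literally.
    # optionxform=str: keep the file's mixed-case key names intact.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def audit_password_policy(cp: configparser.ConfigParser) -> list[tuple[str, str]]:
    """Return (setting, problem) pairs for weak [System Access] values.

    Baseline here is an assumption for illustration: 14+ chars, complexity on,
    lockout enabled, 24 remembered passwords, no reversible storage.
    """
    sa = cp["System Access"]

    def num(key: str, default=None):
        v = sa.get(key, default)
        return int(v) if v is not None else None

    issues = []
    length = num("MinimumPasswordLength")
    if length is None or length < 14:
        issues.append(("MinimumPasswordLength", f"{length} is below a 14-character baseline"))
    if num("PasswordComplexity", 0) != 1:
        issues.append(("PasswordComplexity", "complexity requirements disabled"))
    if num("LockoutBadCount", 0) == 0:
        issues.append(("LockoutBadCount", "0 means accounts never lock out on bad passwords"))
    if num("PasswordHistorySize", 0) < 24:
        issues.append(("PasswordHistorySize", "fewer than 24 passwords remembered"))
    if num("ClearTextPassword", 0) == 1:
        issues.append(("ClearTextPassword", "passwords stored with reversible encryption"))
    if num("LSAAnonymousNameLookup", 0) == 1:
        issues.append(("LSAAnonymousNameLookup", "anonymous SID/name translation allowed"))
    return issues


if __name__ == "__main__":
    policy = load_gpttmpl(SAMPLE_BYTES)
    for setting, problem in audit_password_policy(policy):
        print(f"{setting}: {problem}")
```

Pointed at the two GptTmpl.inf files pulled from SYSVOL above, the same function tells a defender which policy object is setting the domain password rules and where they fall short of the organisation's baseline; on the stock defaults it reports only the short minimum length and the missing lockout threshold.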